Commit
Fix unsafe bounds checks in ssl_load_session()
This commit replaces multiple bounds checks of the form `if( ptr + offset > end )` by `if( offset > end - ptr )`. The former is unsafe as the pointer arithmetic `ptr + offset` can overflow in case of a large value of `offset` paired with a value of `ptr` close to the (virtual) address boundary. The latter bounds check, in turn, is always safe if `offset` is a signed integral value, even if `ptr` happens to be larger than `end` (which should never happen, but it's better to be prepared just in case).

Concretely, ssl_load_session() contains the bounds check `if( p + cert_len > end )` where `cert_len` is a 24-bit value of type `size_t`. This check is accordingly replaced by `if( (int) cert_len > end - p )`; the explicit cast `(int) cert_len` is safe because `int` is assumed to be 32-bit wide and paddingless, hence capable of holding 24-bit values.

Fixes Mbed-TLS#659 reported by Guido Vranken.
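The two check shapes the commit message contrasts, as an added C example that is not Mbed TLS code: the old `ptr + offset > end` form is modelled on raw `uintptr_t` addresses so the wrap-around is visible without invoking undefined pointer arithmetic, the hardened form compares the length against the remaining space, and `read_cert()` parses a 24-bit length in the style of ssl_load_session(). Function names and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Old check, `p + off <= end`, evaluated on raw addresses. The unsigned add
   wraps for a large `off`, so a cursor near the top of the address space can
   pass the check even though the access runs far past `end`. Returns 1 if the
   check lets the access through. */
static int old_check_passes(uintptr_t p, uintptr_t end, size_t off)
{
    return (p + (uintptr_t)off) <= end;
}

/* Hardened check: never form `p + off`; compare `off` to the space left.
   A cursor already past `end` is rejected instead of being "fixed" by wrap. */
static int new_check_passes(uintptr_t p, uintptr_t end, size_t off)
{
    if (p > end)
        return 0;
    return off <= (size_t)(end - p);
}

/* Parse a 24-bit big-endian certificate length from [p, end) and check that
   the body fits, using the `len <= end - p` shape rather than `p + len > end`.
   Returns the body length, or -1 on a short or oversized input. */
static long read_cert(const unsigned char *p, const unsigned char *end)
{
    size_t cert_len;

    if (end - p < 3)                       /* not even a length field */
        return -1;
    cert_len = ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | (size_t)p[2];
    p += 3;
    if (cert_len > (size_t)(end - p))      /* safe: no pointer addition */
        return -1;
    return (long)cert_len;
}
```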